PocketSync Privacy Policy

What is PocketSync?

PocketSync provides two core features: Health Data Streaming and Cloud Sync. Each feature handles data differently and the relevant practices are described separately below.

Identity & Subscriptions

• Account identifiers: Email address (where supplied), device identifiers (iOS Vendor ID, Android ID), a UUID device ID generated at registration, and user IDs.
• Subscription data: Apple App Store and Google Play subscription identifiers and status, used to validate active access. Payment processing is handled entirely by Apple or Google — we do not store credit card numbers.
• Push notification tokens: Apple APNs and Google FCM tokens for delivering sync-completion notifications.
• Anonymous usage analytics: Firebase Analytics signals (app opens, screen views, feature usage). User-configurable.

Health Data Streaming

PocketSync reads Apple HealthKit data on your device and can write selected metrics to a Google Sheet you choose, stream them to Home Assistant, or send them to a custom webhook. Health data is processed on-device and sent directly to your configured destinations without passing through WeaveHub servers.

• HealthKit data: The metrics you explicitly authorize (e.g., heart rate, sleep, activity). Processed on-device and sent only to your configured destinations.
• Google Sheets data: Spreadsheet metadata (such as file name and ID) and the specific sheet contents needed to write metrics to the sheet you select. Google Sheets access is used solely to write your selected PocketSync metrics. We do not share Google user data obtained through Health Data Streaming with third parties.

Cloud Sync

Cloud Sync allows you to connect cloud accounts (Google, Microsoft, Dropbox, Box, and CardDAV/CalDAV providers) and sync files, contacts, and calendars between them. Unlike Health Data Streaming, Cloud Sync operates through WeaveHub infrastructure:

• OAuth tokens and credentials: When you connect a cloud account, we store an encrypted copy of your OAuth 2.0 access and refresh tokens (or CardDAV/CalDAV credentials). Tokens are encrypted with AES-256-GCM before storage in our database.
• File metadata: File paths, sizes, and modification dates from your connected accounts are stored to enable delta sync (transferring only changed files).
• Contact data: When syncing contacts, PocketSync reads and transfers contact records between providers. This may include names, email addresses, phone numbers, physical addresses, organization names, job titles, birthdays, notes, and profile photos. Contact data passes through WeaveHub infrastructure during transfer. Contacts contain personal data of third parties (the people in your address book). You are responsible for having a lawful basis to transfer this data.
• Calendar data: When syncing calendars, PocketSync reads and transfers calendar events between providers. This may include event titles, descriptions, attendee names and email addresses, locations, dates/times, recurrence rules, and reminders. Calendar data passes through WeaveHub infrastructure during transfer and may contain personal data of third parties (event attendees).
• Sync job configuration: Your sync rules (source, destination, sync mode, conflict-resolution preference, data type) are stored on our servers.
• Sync run history: Records of each sync run, including items synced, skipped, errored, and bytes transferred.
• Temporary data buffer: During a transfer, files are temporarily stored in a Cloudflare R2 buffer bucket while in transit between providers. Contact and calendar data is held in memory or temporary storage during transfer. All temporary data is automatically deleted within 1 hour of the transfer completing and is not retained beyond what is required for the sync to occur.
• Device identifier: A UUID device ID is generated at registration and stored in the iOS Keychain on your device. A SHA-256 hash of your API key is stored server-side to authenticate requests.
• Push notification tokens: FCM tokens for delivering sync completion notifications.

Cloud Sync does not access, read, or process the contents of your files, contacts, or calendar events beyond what is necessary to transfer them between providers. We do not index, analyze, scan, mine, or retain data contents after the transfer is complete.

Third-Party Personal Data in Contacts & Calendars

Contact and calendar sync involves processing personal data of third parties — the people in your address book and calendar event attendees. By using contact and calendar sync, you represent that you have a lawful basis (such as legitimate interest or consent) to transfer this personal data between providers through WeaveHub infrastructure. WeaveHub processes this third-party data solely as your processor, under your instructions, and does not use it for any independent purpose.

PocketSync's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Server-side storage of Google OAuth tokens, Google Drive file metadata, Google Contacts, and Google Calendar data is strictly necessary for providing Cloud Sync functionality and is not used for advertising, profiling, or any unrelated purpose.

Data Storage & Protection

• Health Data Streaming: No Google Sheets user data or HealthKit data is stored on WeaveHub servers. Google Sheets access is via OAuth over HTTPS.
• Cloud Sync: OAuth tokens and CardDAV/CalDAV credentials for connected providers are encrypted with AES-256-GCM and stored in a Cloudflare D1 database. API keys are hashed with SHA-256 before storage. Files in transit are temporarily held in a Cloudflare R2 buffer bucket and automatically deleted within 1 hour. Contact and calendar data is held in memory or temporary storage during transfer. File metadata, contact/calendar sync state, and sync history are stored in Cloudflare D1. All API communication uses HTTPS via a Cloudflare Worker.
• Sensitive data is protected using industry-standard encryption in transit (TLS) and at rest.

Data Retention & Deletion

• Health Data Streaming: WeaveHub retains no HealthKit or Google Sheets data on its servers. Revoke Google Sheets access at any time in your Google account settings.
• Cloud Sync: When you disconnect a cloud account, we delete the corresponding encrypted OAuth tokens or CardDAV/CalDAV credentials from our database. Deleting a sync job deletes all associated file metadata, contact/calendar sync state, sync history, and any data on WeaveHub servers associated with that job. Files in the R2 transfer buffer are automatically deleted within 1 hour regardless of account status. Database backups that may contain Cloud Sync data are retained for 30 days and then permanently deleted.
• You may revoke PocketSync's access directly through your cloud provider's app permissions settings (e.g., Google Account, Microsoft Account, Dropbox Settings, Box Account). Device identifiers can be removed by uninstalling the app.
• You may request deletion of your data at any time by contacting us. We will respond to deletion requests within 30 days.

Third-Party Service Providers

• Cloudflare, Inc. — Hosting, Workers runtime, D1 database, R2 object storage
• Apple Inc. — Push notifications (APNs), App Store distribution, HealthKit framework
• Google LLC — Firebase Analytics, Cloud Messaging (FCM), Play Store distribution, Google Drive API, Google Contacts API, Google Calendar API (Cloud Sync), Google Sheets API (Health Data Streaming)
• Microsoft Corporation — OneDrive, Outlook Contacts, Outlook Calendar / Microsoft Graph API (Cloud Sync)
• Dropbox, Inc. — Dropbox API (Cloud Sync)
• Box, Inc. — Box API (Cloud Sync)
• CardDAV/CalDAV providers — Any user-configured CardDAV or CalDAV server for contact and calendar sync (Cloud Sync). The specific provider depends on your configuration.
• Stripe, Inc. — Payment processing for non-store subscription paths

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process PocketSync personal data under the following legal bases:

• Performance of a contract (Article 6(1)(b)): Processing necessary to provide the PocketSync service you requested, including Cloud Sync operations, Health Data Streaming, and account management.
• Legitimate interests (Article 6(1)(f)): Anonymous analytics to improve our products and services, provided these interests are not overridden by your data protection rights.
• Consent (Article 6(1)(a)): Where you explicitly authorize access to HealthKit data or cloud storage accounts through OAuth.

Automated Processing

PocketSync Cloud Sync runs scheduled sync jobs automatically (approximately every 5 minutes when active). These automated processes access your connected cloud accounts, compare metadata to detect changes, and transfer new or modified files, contacts, or calendar events between providers as configured in your sync job. No human review of your data occurs during this process. You can pause or delete sync jobs at any time within the app. No automated decision-making or profiling as defined under GDPR Article 22 is performed.

Data Processing Agreement

If you process personal data of third parties through PocketSync Cloud Sync (for example, contacts or calendars belonging to other people), the PocketSync Data Processing Agreement describes WeaveHub's processor obligations under GDPR Article 28.

Changes to This Policy

We may update this product-specific policy from time to time. Material changes will be noted on this page with an updated "Last updated" date. Continued use of PocketSync after a change means you accept the updated policy.

Contact

Questions about PocketSync privacy, your data, or this policy? Contact WeaveHub Technologies.